Award-winning news, views, and insight from the ESET security community

Kickstarter, Urbanspoon and Warner Bros among 2,000 sites at risk from “impersonators”

Major websites such as Kickstarter, WarnerBros.com and the online photography community 500px.com are among 2,000 at risk from a vulnerability that could allow attackers to impersonate real users and access their sites, according to a researcher.

Major websites such as Kickstarter, WarnerBros.com and the online photography community 500px.com are among 2,000 at risk from a vulnerability that could allow attackers to impersonate real users and access their sites, according to a researcher.

Major websites such as Kickstarter, WarnerBros.com and the online photography community 500px.com are among 2,000 at risk from a vulnerability that could allow attackers to impersonate real users and access their sites, according to a researcher.

The vulnerability affects sites using Ruby on Rails, a popular open-source web development framework, built, it claims, for “programmer happiness”.

The researcher who initially uncovered the vulnerability has published a list of affected websites this week, including the major names mentioned above, and other popular sites and apps such as My Fitness Pall. The full list is published here on Maverick Blogging.

Researcher G S McNamara has offered to help development teams with the issue, which affects older versions of Ruby on Rails – and has notified sites including KickStarter. McNamara is continuing to research the issue.

The weakness was first uncovered in September, The Register reports, and theoretically allows attackers to impersonate users who have previously logged in.

The problem was uncovered by researcher G S MacNamamara, and is due to the web app’s failure to delete users’ details, stored as cookies, when they leave. MacNamara says, “a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future. When a user logs out what happens is not what you would expect. The previous cookie is still valid.”

McNamara describes this as “logout” being “broken by default”, and says that users who fail to lot out of a site when they leave would face particular difficulties. He recommends users change passwords, or admins change the application. The vulnerability is no longer present in Rails versions 4.0 and later.

Threatpost commented that, “As you can imagine, when a user is working on an untrusted network connection or is sharing a computer with someone else, it makes their session extremely vulnerable.”